[Excom] Fwd: A first look at the African’s ccTLDs technical environment

Barrack Otieno barrack at aftld.org
Tue Oct 6 15:07:18 EAT 2020 

Dear EXCOM,

This might be of interest. Kindly share any feedback you may have.

Best Regards

-------- Original Message --------
Subject: A first look at the African’s ccTLDs technical environment
Date: 2020-10-06 12:00
 From: Alfred Arouna <alfred at simula.no>
To: barrack at aftld.org
Cc: "amreesh at afrinic.net" <amreesh at afrinic.net>, Ahmed Elmokashfi 
<ahmed at simula.no>

Hello,

To better understand African ccTLDs technical environment, we have
conducted a research  that will be part of EAI Africomm 2020
proceedings:  "A first look at the African’s ccTLDs technical
environment”.

https://africommconference.eai-conferences.org/2020/accepted-papers/

We have evaluate 54 African ccTLDs technical environment on several
aspects: ccTLD reachability, Prefixes origin (RIR) of NS, Anycast,
DNSSEC (zone signing) and misconfiguration report with zonemaster tool.

As overall, African  ccTLDs are characterised by the usage of out of
region resources.

We would like to get your feedbacks and comments/recommendations
related to our results.

Our findings, so far:

1 - ccTLD reachability

     1.1 - Compared to top 10 ccTLDs,  African ccTLDs appear to have
enough IPs to maintain service availability  while handling
authoritative DNS queries. In IPv4 the median number is 4 while the
median number for IPv6 is 2.  More than 90% of African ccTLDs
nameservers have IPv6, which match with one of your goal
(https://dnsforum.africa/history-and-future/). For IPv6, we assume it
will follow IPv6 adoption pattern in the region.

     1.2 - From ASN perspective, African ccTLDs are less resilient in
IPv6. A disruption affecting one ASN (for 10 ccTLDs) or two ASN (for 17
ccTLDs) on IPv6 traffic can make some African ccTLDs unavailable from
the Internet. For IPv4, all African ccTLDs  are served from two or more
ASN, except Ethiopia.

2 - Prefixes Origin

     2.1 - We notice that many ccTLDs are using resources from other
RIRs, which is good in term of availability, But there is a clear
correlation between IPv6 adoption and the use of external DNS provider:
IPv6 usage is driven by the use of external (not from AFRINIC region)
DNS provider. The hight ratio of African ccTLDs using IPv6 is  somewhat
“artificial”.

     2.2 - In worst case scenario, this could have a negative impact on
DNS resolution time for users in the country, but it suggests that the
local ecosystem in not mature yet to host IPv6 services.

3 - Anycast usage

     3.1 - 80% of African ccTLDs are using anycast. However, when
correlating with 1 and 2, it is clear that the targeted market is not
the African one. For instance, Namibia (NA),Somalia (SO), and the
Freenom customers has 100% anycast ratio for both IPv4 and IPv6. This is
correlate to the 100% out of region resources usage from these ccTLDs
from 2.

  3.2 -  AFRINIC (29%), RIPE-NCC(12%) and PCH (35%) together manage more
than 75% of anycast DNS traffic in AFRINIC region. If we add Netnode
DNSNODE (8%), the majority (84%) of African anycast traffic is handled
by non-profit foundations and/or organisations. However, the advantages
given by the use of anycast seems not to target African Internet  users.
In term of routing, using these out of region anycast providers (using
their RIR resources) is not helpful for the African market.

4 - DNSSEC zone signing

     4.1 - Less than 30% (16) of African ccTLD have signed their zone.
Madagascar and Zambia use to enable DNSSEC, but as for now, there is no
DS in the root. We have contacted them, but only Madagascar reply to our
email: "Temporarily we have unconnected it for internal reasons, but
we'll take it again asap. “. Your goal of having 50% of African ccTLDs
with DNSSEC seems achievable with some effort.

     4.2 - Namibia which is the first to sign his zone (july 2012) seems
not following best practice. They still use deprecated RSASHA1 which is
subject to efficient collision attack. Senegal (SN) is the very first
and onlyAfrican ccTLD using Algorithms 13 ECDSAP256SHA256. 10 over 16 of
African ccTLDs are using recommended algorithm RSASHA256 (Algorithm 8)
as suggested by BCP 14.

5 - Zonemaster tests result

     5.1 - The most common misconfiguration is missing PTR records. Is it
clear, that African ccTLDs are not following RFC1912: “for every IP
address, there should be a matching PTR record”.  The second most
common misconfiguration is lame delegation. From end-user point of view,
the first resolution process will take more time than expected and will
increase the latency to the requested service. The resolver will try to
reach non existent NS. The third most common misconfigurations are
NSFAILED  (server not acting as DNS server: shared server with other
services ? Nat ? Firewall ?) and NORESPONSE (SERVFAIL: misconfiguration
on server side).

     5.2 - Strangely, some African ccTLDs servers  are not TCP and/or UDP
  and/or EDNS compliant. Moreover, we have seen inconsistent  SOA from
different servers of the same zone. This  could be explain by the  the
lack of usage of well known DNS synchronization zone techniques such as
AXFR or IXFR between nameservers. TCP, UDP, EDNS or SOA can be easy
fixed with consistent monitoring to find the root cause of these
misconfigurations.

Regards,
Alfred

-- 
Barrack Otieno

General Manager

Africa Top Level Domains Organization

+254721325277

www.aftld.org

'The Regional Association of African ccTLDs

More information about the Excom mailing list